Will permissions change if we switch from internal to external directory

We may not have our LDAP server ready when we bring up our Stash server, so we were wondering if the project and repository permissions will remain the same when we switch from internal user accounts to LDAP authenticated accounts, external directory.



2 answers

1 accepted

0 votes
Accepted answer
Seb Ruiz Atlassian Team Feb 06, 2013

Hi Rex,

I am not sure that this will work with Stash. Stash references users by their primary key in the database (an integer) and not by the username (which may be what JIRA does).

As such, creating a user "rex" internally may have the user id 1, but when you switch to your LDAP-backed user source the user "rex" may end up with id 400. As such, permissions will not be preserved.

I will have to investigate this more and look into our implementation or try it out.


Thanks, Seb and Daniel,

That was our exact concern, so I appreciate the information. We may do a live prototype with the 10 user license, in which case it wouldn't be as painful if we had to export/modify/import user/group and permission information, or even recreate it all by hand.

I sure appreciate your answers.



I think we will use local user/group accounts, then add LDAP for authentication only. We will continue to use Stash to administer user accounts.

Thanks for your help.

When you mention "LDAP Authenticated Accounts - external Directory", you mean using a Directory Connector, yes?

Permissions are tied to groups, and if those groups are created in the internal directory (locally), then you have to make sure you recreate them either inside your LDAP itself, or set the LDAP permissions to *Read only, with local groups* and then recreate the groups in JIRA.

A simpler way would be to use Internal Directory With Delegated LDAP Authentication, then you will be able to copy your existing groups from the internal directory to the Internal Directory using Delegated Auth.

Thanks, Daniel,

We will probably use the LDAP Directory Connector and "Read only, with local groups", then I'll have to recreate the groups as you suggested.

I appreciate the quick answer!


Hello Rex,

Note that you will also have to manually re-add your users to those groups!

Hi Rex,

I think I might have worded it a bit too plainly. If you are using "Read only, with local groups", then the groups already previously created in your internal directory can be used, and you must assign your LDAP users to those groups. Here is the paragraph from the documentation:

Read Only, with Local Groups

LDAP users, groups and memberships are retrieved from your directory server and can only be modified via your directory server. You cannot modify LDAP users, groups or memberships via the application administration screens. However, you can add groups to the internal directory and add LDAP users to those groups.


Additionally, you can set the option to automatically add users to local groups when they log in, such as the all-important jira-users group.

Seb Ruiz Atlassian Team Feb 06, 2013

Hi Daniel,

Rex is currently asking about connecting Stash with LDAP, so I am not sure if your JIRA documentation links are actually relevant. Have you checked in Stash?


